Because now we get to a talk that I am very fond of personally, because some of my best friends have critical infrastructure, and it is the kind of thing that in this pandemic you have to, let's say, have to deal with, this infrastructure. And so I'm all the happier to have, as far as you can say "have", Honk Hase in this room, or Manuel Atug as his civil name goes. Honk is one of the co-founders of the critical infrastructure working group and he does a lot with security. If you look at his track record, 23 years in information security, you have to say that in the end this is an old hare, as the German saying goes, an old rabbit. So wow, thanks for all the experience points that you are contributing to this talk. And at this point, well, what talk is it going to be? Yes, critical infrastructure in times of the pandemic, and everyone that is lucky enough to work in groups that are regarded as critical, well, you can report about your experiences and you can listen as well and maybe learn a bit more. And at this point I would just like to say: applause, and go ahead, Honk, the stage is yours.

Yes, thank you, Puppe. I have given a talk from the point of view of a critical infrastructure auditor, and that was interesting, to see how critical infrastructure is actually being provided. Today I'm going to show you a few topics about critical infrastructure in times of a pandemic, things that keep things running in the background, as it were. Okay, Puppe did say I have been in this for 23 years now.
My core issues are critical infrastructure, that is a passion; hack back, because we want to see threats to critical infrastructure; ethics; cyber resilience; and protecting the population, because ultimately we do want to keep being able to type vigorously. So how to secure that is what I'm going to talk about a little. But before we go into that I would like to define the critical terms, as it were, because the legal definitions are in no way trivial. So let's have a run through those, so that you can actually have some insights later on to see what the legal foundations are and how easy or complex it is, and then I'll give you the six examples that I brought along.

So, legal definitions of operators of critical infrastructure: who is an operator of critical infrastructure? Let's start from the top, through the various levels. The European Union defined it in a regulation called NIS; version 1.0 is in force, 2.0 is being worked upon. So this is about operators of relevant services. There are seven services that are identified, and this is about defining measures to ensure that a common security level of information systems and network systems is in place. Sounds sensible, not so trivial to implement. And from this regulation the IT security law was derived.

Now let's go to the Federal Republic of Germany. There is a unique definition of critical infrastructure on the federal and federal state levels, and these are organizations or institutions with importance for the state structure, where the failure or limitation would lead to dramatic or sustained bottlenecks in supply and disturbances of public security or other dramatic consequences. It sounds drastic, but that's what it is. If the health structure, for example, were not working in a pandemic, we would have a real crisis on our hands, as the pandemic already is. And in addition to these seven sectors we have two more that are a bit separate in Germany, or special.

The first one is state and administration and the second is media and culture. State and administration cannot just be regulated, can be regulated by the Federal Office for Information Security, and media and culture is regulated at the federal state level, so you have to look at the individual states and not get involved there from a higher level. And then we have the German IT security law 1.0, which is derived from the NIS regulation, as I've said, so that is the law to increase the security of information technology systems. So this covers, well, ultimately the objectives that we talked about: securing IT infrastructure and improving IT security in the federal administration, well, improving protection for people on the internet. And the sectors here are more or less the same that were defined by the EU: so energy, transport and traffic, finance and insurances, health, water, nutrition, and information technology and communication technology. And the 2.0 law is being worked upon, just as the regulation 2.0 is always being worked upon, but again, yeah.
From the IT security law there are some further things that are derived in the law about the German Federal Authority for Security in Information Technology, so this defines their tasks and their rights, and their rights regarding the increasing relevance of these technologies. And so we have these seven German sectors and these two special cases that are laid down in the law about the BSI, the Federal Agency for Information Security, and that regulates both the agency and the operators. And linked to that, we're still not finished with the legal foundations, so one more I have there is the BSI regulation on critical infrastructure, which defines threshold values for each individual sector, the performance they have to provide. So water, for example, or sewage, these are two categories; someone who runs infrastructures like that. And the threshold values here mean at what point an operator or service provider in this sector has to be regarded as a critical provider. And it's quite easy: the threshold values in each of these sectors are blanket values that say 500, 500,000 people, that is the measure. So if you provide 500,000 people, say, with the average amounts of water or electricity, if that is the capacity you have, you are critical.

So one more: there are regulations at the federal state level too. So I picked the federal state of North Rhine-Westphalia, and they have a corona operating regulation there that has been updated as well. So some definitions were taken out; the paragraph I quote on this slide does no longer exist, but they did try to say, well, we have to regulate the protection from reinfection in daycare, for example, or important services, or services critical to the system. So every regulation calls it differently, every federal state has its own regulation. So these are the classical sectors that are named, and that includes state administration at the federal state level too and the media, but also schools, support for children, young people, or people with disabilities. So all the kind of infrastructure where you have to protect people from being reinfected. And the federal states, of course, that is quite scary, there was a lot of back and forth there about competencies, and that is still in flux. But so much about the overview, and now we have time for the six examples I brought along.

So one challenge that became visible early last year, as early as January, was addressed with providers of critical infrastructure, so way before the first, let's call it lockdown, home office, whatever. So as early as January these people dug out their pandemic concepts and said, okay, we have to respond. Some people, some operators came afterwards in February, but this was actually realized ahead of time. There were no actual failures that became known, but keeping staff ready was important to make sure the services could still be provided. I cannot operate a water plant without keeping the pumps going, making sure that water purity is sustained, and so there are some high demands on drinking water, tap water, as compared to bottled water, for example. So what was the scenario there? Well, traveling of staff from their residences to the workplace: public transport wasn't operating at some point, so if they form carpools, of course there is an infection risk; contact to other people: these people go home and are in touch with families, shop assistants and whatever, and exposure to an infection with COVID-19 was of course always possible. So how do you deal with that? And the consequences were staff being unavailable and infection risks within the staff. So how can we act against that? That was the question. There are concepts for a pandemic; some updated them spontaneously, that is, dusted them off and looked at them again, but many had working constructs in place, and you have to say it's not that bad, but the challenge definitely was there.

So what did the solutions look like? If you have a control room for, say, a power station, a water plant, you have to make sure that the system, the critical team, is isolated: the people that run these control rooms, but also electricians that have to fasten a screw or something, that those people are on site. And these people have to be provided with accommodation, because they were isolated, so they really are separated; they had to sleep at the workplace. These places would activate it or provide it, and most of these asked whether they wanted to voluntarily self-isolate, depending on the cycles they have, so they would be given a bonus for that, and the public, the population is going to love you, and of course you can stay in touch with your family, but remotely please, so we will provide that of course, and we will provide sleeping arrangements and all that. What you would also have to take in mind was of course daily needs, such as washing machines, food, both prepacked and to some extent fresh food, through a security lock, so that these people could be resupplied and a certain protection could be put in place, and to maintain all that, disinfect all that, that was an extra effort. So drinking water was supplied; these people didn't have water on tap, and they were also given drinking water, tea or coffee, coffee, yeah, of course. So everything you need as daily provisions would be there, and the supply was ensured. And what also had to be ensured was psychological care, and keeping people occupied outside work hours. If you keep seeing the same three, four people all the time, it's tough. You have the family outside in this unclear situation; just think back to March, April, May last year, nobody really knew what would happen, there were new studies coming out almost every day with new findings, and politics said, oh yeah, we do this, no, we won't do it, and now we change. And so in this situation to leave your family alone and just go to save the general population, that is a lot of pressure, and there was care needed for that. Where it was
necessary, it was provided, and of course there are always individual cases where that was forgotten or wasn't provided well, many individual cases if you look to hospitals or care homes. The health sector of course wasn't too well handled by politics, as we all know; just imagine going on to your balcony at 8 and giving applause, but then when wage negotiations took place, suddenly no wage rise was agreed. So that kind of pressure doesn't really help you stay motivated, and so all this came together. So for staff that was critical, measures were taken to compensate for any losses, and large operators such as nuclear power station control rooms said, we have one operating team on site and another team independently isolated in another place, in separate rooms perhaps, or another location, so if for some reason the main team would be infected by COVID and we would not be able to prevent that, these people might all just fail, and we have to have another team available. And some even had a third one, so the worst case scenario in some services was that two teams would become unavailable and still services had to be provided. And this went on mostly in the background; there was hardly any press coverage. I think the municipal works in Vienna reported, you can do some research, but mostly, for many years, these services are run in the background, so there's not that much public awareness. So a huge thank you to all system-critical operators, all the people that went into isolation and that did their shifts all the time in times of crisis. That is a huge thank you, it's worth a huge thank you, and I bow to you and I give you my respect.

Yeah, second challenge, what else did we have? We were talking about fresh water, and then the water has to be removed somehow, so sewage. What challenges did we have? People were panic buying toilet paper, so consumers were not provided with toilet paper, but the industry products, they were there. If you have these huge rolls that you have in industry and use them for home purposes, and everyone then starts using industry products in the domestic area, then of course these products cannot be simply exchanged, because the factory lines are different. So this, including panic buying, led to blockages, and logistics was a challenge too, because large rolls have to be packed quite differently; so normally you run this in pallets, but the number of packages per pallet was quite different. The use of alternatives was regarded as a challenge: so you have handkerchiefs, moist tissues, and these are actually rip-resistant, in contrast to toilet paper, which dissolves. So we're talking about alien objects in sewage, and that of course would then impede sewage plants; you would have blockages there, and/or you have to change your cleaning procedures, which gives you more solid waste that you have to dispose of. So even the lorry drivers that transported the solid waste away led to deposits being critical as well. So there was a kind of self-regulation by retail regarding panic buying; people were not given indefinite amounts of toilet paper, and production was changed as well. So you had mottos such as: everyone can only buy one packet of toilet paper, the first one will be 3.99 and every second package will be 15 euro, for those that say, I'm not panic buying, but still. So the use of alternatives and problems at sewage plants, that was a problem, because as I said these alternatives could lead to blockages. So the sewage plant operators were communicating about alternatives such as mobile bidets, showering perhaps, so people were trying to keep people from inserting solids into the sewage system. And that, I think, went ahead mostly non-transparently; I was in touch with operators, but that has not been very much noticed.

And then you have computing centers in a quarantine area. If there are curfews and you cannot reach your computing center, how do the staff get there? So getting in
touch with the health services to get special permits, that's something you have to take care of, and at this point these local health authorities didn't quite know what their responsibilities were. So I for one was given a special permit from my employer, because I do services for operators of critical infrastructure, so if I were to visit someone's plant or office, which was quite rare from February, but it did occur, I did have the option to have this together with my ID in my pocket and I could go. So that was the one thing, and the other was implementing journal-based asynchronous replication over large distances, so you had redundant structures in a non-quarantine area, ideally. But if there is a worldwide pandemic, then there is no guarantee that all the perhaps redundant locations would not be subject to curfews, so that was a challenge too. And that went quite smoothly, normally, but yes, all my colleagues and all the others worked together and they said, hey, go there, and this is the template and this is the text, and just do it, do it, and time is of the essence.

Then, limits in the shops. We talked about toilet paper; we are now talking about noodles. In the beginning everything was there, but the supply chain did not work, the just-in-time delivery did not work, and there were limits in the storage facilities, and because of the border controls, especially from Poland to Germany, sometimes there were over 60 kilometers of traffic, and it took days for them to arrive in Germany. And truck drivers who arrived sometimes had to sit in quarantine for 14 days before they could return, and sometimes got ill here or drove outside and got ill there. And of course there were some real issues, but there was also a 14-day wait time, and therefore they could not turn around quickly enough. The additional storage, there were temporal limits. What was done against that? Aldi said, oh yeah, this pasta deficit, this is not appropriate, and we have to move more by rail. And with DB Schenker they said, okay, let's not use trucks but use DB Schenker, use 16 tons of noodles, pasta from Italy, and that way we don't have a deficit. Of course that took a while until it was changed around; there were regulatory issues, but between the different trade partners there were new contracts, and the Deutsche Bahn had to work with that: how can we deliver that by train to the storage point and how do we get them there? That's a lot of work to keep the supply chain up to date, but in the end everything worked; we all had toilet paper and pasta and everything and food and everything, so the goods were quickly re-established.

Then we had issues with waste disposal, not only with that but also the private rubbish. Rubbish removal is not a critical infrastructure according to the regulations, but that also leads to issues if it does not happen, both in the environment and with health issues. The recycling centers were closed, but also the pickup was less often, so trash pickup wasn't happening, because there were fewer employees at the time. And how can we get around that? There were some solution thoughts: one was that rubbish disposal might be added to the list of critical infrastructures. And how the waste is handled is also an issue: there might be coronavirus through waste disposal, because that's burned at a hotter temperature, and all waste from hospitals that had coronaviruses was transported as dangerous material, and that means it had to be transported differently, but that also happens sometimes. A few towns called on their inhabitants to change that within the family, but if you're ill, you first of all think about members of your family and not how to dispose of your waste. And then there was also the question of IT infrastructure in hospitals. There were ransom attacks on hospitals, so
thank you to the incident response people that try to keep the IT infrastructure of hospitals and surgeries up to date everywhere and running, despite viruses and everything, and ransomware. But if there is ransomware, there are changes in how hospitals can be run; with the ransomware there is limited information to patients and limits in the laboratory capacity, so that all increases the issues. So there was a corona test center that was attacked, and there's a crisis within the crisis: we have the crisis, the pandemic, and then there is an additional crisis with ransomware. So if a crisis is bad, a crisis within a crisis is even worse. So what can we do? Work on IT security properly, stick to the rules and regulations. There is a special law about the future of hospitals where money for IT infrastructure is available; it was delayed for years. But you can also take IT security companies to help you; sometimes they even have specialists, because there are cyber insurances that can help you to restart your infrastructure, sometimes really strange infrastructure with Windows 1995 and old protocols. And they need a crisis management that can handle two crises at the same time. Those are all points that can help against the attack of ransomware. So let me link to my last talk from last year, about how it is to work as a KRITIS auditor. And thank you very much, and we will go back to the questions and answers.

Can't hear anything yet. Yeah, well, that is this mute button, that is sometimes critical, even, especially in conference calls. Yeah, sometimes various things, my ear can be critical, yeah. Applause, applause, you may have only seen it at first. Thank you so much for this talk, and well, it's one module coming into place after the next. I wonder what your next talk is going to be; maybe this is going to be a sequence of lectures that you can access from media.ccc.de, and that might actually get some good funding. Now about the questions and comments in the pad: the link to the pad is to be found on the page on this talk, and you can write into this pad in real time; now I will see that. Okay, and while I say that, of course new questions are coming in. So how about heating infrastructure, isn't that part of critical infrastructure too?

Well, yeah, heating infrastructure, I think that is building heating, I think that is down there; these individual components are not part of critical infrastructure, but there are components that are: the mass supply, such as power stations that provide electricity or district heating, refineries that produce fuels. The heating network in a large house is the individual case, the individual supply, that is not part of the definition of critical infrastructure, because if that fails you can call for someone to repair that. But if you have district heating where a whole downtown district is supplied... We've seen that in Texas, when they had a snow storm, they had a complete blackout, so you had people there saying that they will provide their own network, which meant that people, when that failed, had no heating and no water, and that was at a time when it was quite cold, so water pipes froze and burst, and when electricity was back, all these burst pipes then leaked, and so that led to water damage. So that was the power network that failed. Yeah, you can listen to American podcasts, that is quite a drama.

Yeah, now next question: how about craftspeople? Well, they would have to be supplying more than 500,000 people in order to be critical; craftsmen, I don't know. Now regarding wholesale, people that supply Metro and others, those that supply retail with food: the food they sell, that is critical infrastructure if they supply more than 500,000 people, and that is the case with some companies in retail or wholesale, and dairies of course as well, which are in the food sector as well. So companies
that are regarded as critical to their service, by kind of inheriting that status towards their suppliers, is that inherited to their suppliers of those critical infrastructures? Well, if I am a critical operator, then I have to make sure that my devices can keep running; it's not just the IT part of it, there is a law on the IT for that. So there is the technology that keeps the process running; you have to make sure that these suppliers for those IT components can access it remotely if necessary, and that's a nightmare in itself, which I talked about, the experience of one operator, in the other talk, because the remote maintenance had to be invoked. So all this has to be regulated in contracts with their suppliers. But what is not inherited is the status from the basic supply chain. This basic supply is fundamental, but for a dairy perhaps, to make sure that trucks can still reach it, that is no longer connected to it, and whether that arrives or not, I'm not quite sure.

Okay, on with the questions: to what extent is critical infrastructure IT and what is just simply provision of, I don't know, basic existence? Well, there are about 200,000, uh, 2,000 critical infrastructures in Germany; that is, I think 1,600 plant categories are registered, so plants that supply more than 500,000 people. In general emergencies, supply encompasses much more: crisis management of the federal states, the federal government, that all comes into play here, the German Red Cross for example, or the volunteer fire brigades, that's all part of a disaster response, and what helps in extreme emergencies, which is kind of failed by design, things you'd only use in emergencies, and you try to get off using these structures, because if you have to rely on these extra capacities permanently, then any further disturbance will make that fail. And I don't know if there are numbers, apart from what's published; the technical response teams have about 85,000 volunteers, or 85,000 members, many of them volunteers, and you cannot break this down too well.

Okay, what is your idea about the finance, your impression of the finance sector? So, Payment Services Directive 2, no login without two-factor authentication. Well, you have to say that this sector, finance and insurance, if you just look at the banking part of that and leave insurances aside, then these people have old systems in place with complex infrastructures. I think Deutsche Bank had about 7,000 various applications and core components, and one application can be as complex as you wish, but you have to be fair and say that they are fairly much regulated. So if there is an incident at a bank, it has to be reported to the European Central Bank, the German federal bank, their own insurances if they have any, but most do; you have to report to the authorities on finance and IT. So they are perhaps over-regulated, or strongly regulated. So if you look at the U.S. provisions there, you have branches in the U.S. and you have to report to New York; then Singapore, which demands a local office with their own regulations, so you have to issue a separate report there; and, well, say e-money licenses at the UK stock exchange, so you report and report to exhaustion, and you have all these regulations that sometimes contradict. So it's by no means trivial, where millions of people work and expect their money to come out of the ATMs, so you can't just quickly adapt this. So it is kind of bad, it's over-regulated, but on the other hand it's bad because it leads to a never-change-a-running-system situation: if you touch it, it will all explode, so no one wants to touch it. Sneak preview: the IT security law 2.0 will introduce all that, it will become more senseless, so I'm worrying already. All the six experts in the German parliament, I was one of them, were against that, even those connected to the conservatives, but simply
the ministry wasn't interested and said, oh yeah, we're the best, our new law is going to be great, and yeah. Finally, I had to just think of that hearing, because in that hearing you talked so much and you never reached the end, and there are more and more questions in the pad too, so while we talk, ever more questions come in; it's very interesting to see what comes in now. How about logistics, why isn't that critical yet, because without logistics no infrastructure can work, right? Well, that's easy: the transport and traffic infrastructure, well, everything that supplies more than 500,000 is covered.

Next question: to what extent do you look at packaged versions and dependencies if you work with customers? I think many certifications, it seems, did only check whether libx has the newest version, but what people don't seem to look at is how old, how dated, how buggy that newest version is. Well, a critical infrastructure check is only a check, it's not a certification, so there is no "bad"; you just get told whether you have adhered to the legal requirements. But the problem with certifications of course is known to me, because I know a few certifiers, so perhaps these people don't know what secure software means, and what life cycle changes and upgrades, and to what extent you have to look at dependencies: not every feature, maybe there is a feature I don't want to care about, but how about a security upgrade? But many then do not look at the libraries, because they don't look so deeply, and that of course is kind of sad, because that is one of the big gaps that you can encounter.

Yeah, then there were new results about the criticality of infrastructure that was not regarded as critical, so pharma production, care home supplies, European cloud providers, cloud computing. Yeah, for me yeah, for the critical infrastructure working group too, but for the operators and the employees yes, but for some business institutions maybe not, the German government, yeah, well, and the interior ministry: ah yeah, sure, we will just add waste deposits, this puzzle, and then we'll be fine, and then there's funny, and then here and there add something, and then it's all great. My personal opinion is that was a complete fail and failure here, because the real needs were not addressed; they just covered things up and said, oh, everything's fine. That's what it looks like here.

Now a very interesting question: how about the food industry, is there a difference there that's being made between, say, a dairy and a candy factory? No, if you supply more than 500,000, if you have to ensure that supply, then you are regarded as critical. But there are different categories of plants, so production etc. of food etc., and these categories, if you are in one of these categories and you supply more than 500,000 people. One example there that is a bit outside is alcohol, because it's been said that water is just about water and not alcoholic drinks.

Now we get to the last question: what is the most vulnerable, the most brittle sector, I think, with the highest risk of failure? That's electricity, that is the basis of everything. If that fails, then telecommunication fails and everything else will then fail. If you want to look into that further, then read Blackout by Marc Elsberg, that is quite close to reality, and then there is the TAB, the German parliament has commissioned a blackout study in 2012, which is a long document, and they really did scientific research: what would happen in a blackout, in what order things would fail. And if that isn't enough for you, then you may read 42 Degrees, or 42 Grad, which is a book that describes it from the point of view of water. But electricity is clearly the basis for everything; telecommunication is of course quite central as well.

So thank you, thank you, thank you for the talk, for the answers, and the three questions that are still there, the answers will surely be added, so you can comment on those and you can leave your feedback there, and another virtual applause, applause, applause. And now let's return to the main program, and I'm